diff --git a/hosts/deertopia/configuration.nix b/hosts/deertopia/configuration.nix
index e2b4e00..af140fa 100755
--- a/hosts/deertopia/configuration.nix
+++ b/hosts/deertopia/configuration.nix
@@ -11,7 +11,8 @@
 users.users = [
 "lain"
- "besties"
+ "msyds"
+ "liv"
 ];
 impermanence = {
@@ -25,6 +26,9 @@
 # are expected to consistently identify machines... I think. I mostly
 # just think it's annoying to edit ~/.ssh/known_hosts all the time.
 "/etc/ssh"
+
+ # TODO: move
+ "/home/liv"
 ];
 rollback = {
 enable = true;
@@ -40,6 +44,7 @@
 deertopia = {
 authelia.enable = true;
+ www.enable = true;
 bepasty.enable = true;
 jellyfin.enable = false;
 lldap.enable = true;
@@ -63,19 +68,6 @@
 # sabnzbd.enable = true;
 # slskd.enable = true;
 };
-
- # A simple default webpage. This should probably live somewhere else.
- nginx.vhosts."www" = {
- vhostName = "deertopia.net";
- vhost = {
- forceSSL = true;
- enableACME = true;
-
- locations."/" = {
- index = "index.html";
- };
- };
- };
 };
 };
@@ -120,8 +112,7 @@
 };
 };
- # TODO: Move to defaults.
- users.mutableUsers = false;
+ users.mutableUsers = true;
 nix = {
 settings = {
diff --git a/modules/nixos/deertopia/lldap/pam.nix b/modules/nixos/deertopia/lldap/pam.nix
index 3b852ad..d12ceaa 100644
--- a/modules/nixos/deertopia/lldap/pam.nix
+++ b/modules/nixos/deertopia/lldap/pam.nix
@@ -7,6 +7,16 @@ in {
 };
 # See https://github.com/lldap/lldap/blob/main/example_configs/pam/README.md.
+
+ # Required imperative configuration: you will need to add the following custom
+ # attributes to the user schema in the LLDAP web UI.
+ #
+ # • uidNumber (integer)
+ # • gidNumber (integer, multiple values)
+ # • homeDirectory (string)
+ # • unixShell (string)
+ # • sshPublicKey (string) (only if you’re setting up SSH Public Key Sync)
+
 config = lib.mkIf cfg.enable {
 sydnix.sops.secrets = let
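Review bot: The last configuration.nix hunk flips `users.mutableUsers = true;`, which means the accounts and password hashes on the host are no longer pinned to this repository. From now on every password option in the user modules (including the `initialHashedPassword` added for msyds in this commit) only seeds an account when it is first created, and anything changed with `passwd` or `useradd` lives in /etc/shadow and /etc/passwd, which are not among the persisted paths visible in this diff and so presumably vanish at reboot on this impermanence host. As far as the pam.nix hunks show, LDAP users are resolved through sssd and `pam_mkhomedir` rather than written into /etc/passwd, so they should not need this flip. Suggest restoring `users.mutableUsers = false;` or, if something else depends on the change, replacing the removed `# TODO: Move to defaults.` with a comment saying what.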
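Review bot: The last bullet of the new comment, `# • sshPublicKey (string) (only if you’re setting up SSH Public Key Sync)`, is out of date within this same commit: the later pam.nix hunk uncomments `ldap_user_ssh_public_key = sshPublicKey`, so the attribute is required whenever this module is enabled, and an LLDAP schema without it will presumably leave `sss_ssh_authorizedkeys` with no keys to return. Suggest `# • sshPublicKey (string) (required: this module enables SSH public key sync)`.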
@@ -19,6 +29,32 @@ in {
 sssd-environment = {};
 };
+ # TODO: The existence of a dynamic set of users leads to some complexities
+ # when combined with Impermanence. Static users (i.e. those defined in the
+ # NixOS config) shall opt in to Impermanence via the Home-manager setting,
+ # but "dynamic" users (i.e. those per LDAP/PAM) should be persisted
+ # unconditionally. Implementing this behaviour takes quite the hack:
+ #
+ # • /home is persisted.
+ #
+ # • A impersistent directory /transient-home is created.
+ #
+ # • "Dynamic" users are assigned subdirectories of /home like usual.
+ # Since /home is persisted, so are the users' individual home
+ # directories.
+ #
+ # • The home directories of "static" users (that are opted in to
+ # Impermanence) are created at /transient-home/«user» and bind-mounted
+ # to /home/«user».
+
+ security.pam.services."ldap".makeHomeDir = true;
+
+ # For synchronizations of SSH keys.
+ services.openssh.settings = {
+ AuthorizedKeysCommand = lib.getExe' pkgs.sssd "sss_ssh_authorizedkeys";
+ AuthorizedKeysCommandUser = "nobody";
+ };
+
 services.sssd = let
 inherit (config.sydnix.deertopia.lldap) baseDN;
@@ -71,7 +107,7 @@ in {
 ldap_user_shell = unixShell
 # Uncomment for SSH Key Sync setup
- #ldap_user_ssh_public_key = sshPublicKey
+ ldap_user_ssh_public_key = sshPublicKey
 # Group mappings
 # Put your LDAP dc here
diff --git a/modules/nixos/deertopia/nginx.nix b/modules/nixos/deertopia/nginx.nix
index 290616f..aa720bd 100644
--- a/modules/nixos/deertopia/nginx.nix
+++ b/modules/nixos/deertopia/nginx.nix
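Review bot: `AuthorizedKeysCommandUser = "nobody";` runs the key lookup as an account that other services on the host may already share, whereas sshd_config(5) recommends a dedicated user with no other role than running the command; a small fix is `AuthorizedKeysCommandUser = "sss-authkeys";` together with `users.users.sss-authkeys = { isSystemUser = true; group = "sss-authkeys"; };` and `users.groups.sss-authkeys = {};`. `sss_ssh_authorizedkeys` also depends on sssd's `ssh` responder being listed in the `services =` line of the generated sssd.conf, which is outside this hunk, so confirm it is there or the command will presumably return no keys without any error on the sshd side. The `services.sssd` definition that this hunk leads into continues past the end of the hunk.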
@@ -101,35 +101,5 @@ in
 };
 }) (builtins.attrNames cfg.vhosts));
-
- # services.nginx.virtualHosts."deertopia.net" = {
- # root = "${cfg.www.root}/www";
- # # addSSL = true;
- # forceSSL = true;
- # enableACME = true;
- # locations."/" = {
- # index = "index.html";
- # };
- # };
- # system.activationScripts.initialiseDeertopiaRoot.text =
- # let
- # # FIXME: Use `lib.strings.toShellVar`.
- # inherit (cfg) root group user;
- # in ''
- # mkdir -p "${root}"
- # chown -R "${user}:${group}" "${root}"
- # chmod -R 775 "${root}"
- # ${lib.toShellVar "dirs"
- # (builtins.catAttrs "directory" (builtins.attrValues cfg.vhosts))}
- # for i in "''${dirs[@]}"; do
- # mkdir -p "$i"
- # chown -R "${user}:${group}" "$i"
- # chmod -R 775 "$i"
- # done
- # '';
 };
 }
diff --git a/modules/nixos/deertopia/www.nix b/modules/nixos/deertopia/www.nix
new file mode 100644
index 0000000..b7a9b1b
--- /dev/null
+++ b/modules/nixos/deertopia/www.nix
@@ -0,0 +1,58 @@
+{ config, lib, pkgs, ... }:
+
+let cfg = config.sydnix.deertopia.www;
+in {
+ options.sydnix.deertopia.www = {
+ enable = lib.mkEnableOption "www.deertopia.net";
+ };
+
+ config = lib.mkIf cfg.enable {
+ users.groups.www = {};
+
+ users.users.nginx.extraGroups = [ "www" ];
+
+ systemd.tmpfiles.settings."10-www" =
+ let
+ f = user:
+ let e = { inherit user; group = "www"; mode = "2755"; };
+ in { z = e; v = e; };
+ in {
+ "/www" = f "root";
+ "/www/~msyds" = f "msyds";
+ "/www/~liv" = f "liv";
+ };
+
+ sydnix.impermanence.directories = [ "/www" ];
+
+ sydnix.deertopia.nginx.vhosts."www" = {
+ vhostName = "deertopia.net";
+ directory = "/www";
+ vhost = {
+ forceSSL = true;
+ enableACME = true;
+
+ extraConfig = ''
+ location /~msyds/ {
+ index index.html;
+ }
+ location /~liv/ {
+ index index.html;
+ }
+ location / {
+ index index.html;
+ }
+ '';
+
+ # locations."/" = {
+ # index = "index.html";
+ # };
+ # locations."/~msyds" = {
+ # index = "\\~msyds/index.html";
+ # };
+ # locations."/~liv" = {
+ # index = "\\~liv/index.html";
+ # };
+ };
+ };
+ };
+}
diff --git a/public-keys/ssh/liv.pub b/public-keys/ssh/liv.pub
new file mode 100644
index 0000000..9b6fbb8
--- /dev/null
+++ b/public-keys/ssh/liv.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIERHmO7AdaIvu9HiBMOgjo09iTxgZpnILMgd7+1h7Wsn facem@DESKTOP-40PNQA8
diff --git a/public-keys/ssh/windows.pub b/public-keys/ssh/windows.pub
new file mode 100644
index 0000000..fd9fde0
--- /dev/null
+++ b/public-keys/ssh/windows.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDa+0xeHKDW7T6SIj/QnQVotgkgWXfeGqtWUn9AHh07ECXVIKjrjlPOz72zAB0b/tP6D2WpYlIHRsfXcAAWThORNL83fU72COyEQDOEyu43rRTU3T7CjiICRwJkVC20LfEDor+Z3tD2qGS7r/FNzTmCIH8k9USZwlW4YPAP9ijHWn6GqTjgsRL4jxPM5A2yM+NpUK66U9HPvCi3eH8QTXwhFpW3Ia9SiGzU/UCcd7P9NSTCvZg4H2s6kBPNA+iP+/9u290Lw86n60XFQnsjGEszv1ErDdVpy45BUzjNElZVoktpdSO03v/rIU6QQHa/KSHcY1zmtTBgmIRZkqL29t+H dacom@doktor
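Review bot: The per-user directories `/www/~msyds` and `/www/~liv` are served from `/www` by nginx, which follows symlinks by default (`disable_symlinks off`), so anyone who can write there can publish any file the nginx process can read by creating a symlink to it; a candidate is this vhost's own ACME private key, which NixOS presumably makes readable by the nginx group when `enableACME` is set (verify on this host). `liv` is not in `wheel` yet owns `/www/~liv`, so add `disable_symlinks if_not_owner from=/www;` at the top of `extraConfig` so nginx only follows symlinks whose owner also owns the target. Separately, the three `location` blocks each just set `index index.html;`, which is nginx's default, so they can collapse into a single `location / { index index.html; }` (or be dropped) with no change in behaviour.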
diff --git a/users/lain/default.nix b/users/lain/default.nix
index c6c1414..2c6a933 100755
--- a/users/lain/default.nix
+++ b/users/lain/default.nix
@@ -27,6 +27,7 @@
 ../../public-keys/ssh/crumble-at-fruitbook.pub
 ../../public-keys/ssh/crumb-at-nixos-testbed.pub
 ../../public-keys/ssh/termux.pub
+ ../../public-keys/ssh/windows.pub
 ];
 };
diff --git a/users/liv/default.nix b/users/liv/default.nix
new file mode 100755
index 0000000..bc182ef
--- /dev/null
+++ b/users/liv/default.nix
@@ -0,0 +1,28 @@
+{
+ systemConfiguration = { config, ... }: {
+ isNormalUser = true;
+
+ # Unfortunately must be hard-coded so we can attribute it to the
+ # corresponding LDAP user.
+ uid = 1007;
+
+ extraGroups = [ "www" ];
+
+ openssh.authorizedKeys.keyFiles = [
+ ../../public-keys/ssh/liv.pub
+ ../../public-keys/ssh/windows.pub
+ ];
+ };
+
+ homeConfiguration = { config, lib, pkgs, ... }: {
+ programs.bash.enable = true;
+ programs.emacs.enable = true;
+
+ home.packages = [
+ pkgs.nano
+ ];
+
+ # Don't touch!
+ home.stateVersion = "18.09";
+ };
+}
diff --git a/users/msyds/default.nix b/users/msyds/default.nix
new file mode 100755
index 0000000..63f1ada
--- /dev/null
+++ b/users/msyds/default.nix
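Review bot: `windows.pub` is added to `liv`'s `authorizedKeys.keyFiles` in this hunk and, in the users/lain hunk just above, to `lain`'s as well, so a single private key now opens two accounts with different group memberships and a login with it cannot be attributed to either person. If two people use that Windows machine, give each a key pair named after their account (the file's comment is `dacom@doktor`, which identifies neither); if it belongs to one person, authorize it for that account only. Since `liv` sets no password option at all, the listed key files are that account's only credential, so it is worth being strict about which keys appear here.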
@@ -0,0 +1,73 @@
+{
+ systemConfiguration = { config, ... }: {
+ isNormalUser = true;
+
+ # Unfortunately must be hard-coded so we can attribute it to the
+ # corresponding LDAP user.
+ uid = 1006;
+
+ # TODO: Don't hard-code `persist`. Use
+ # config.sydnix.impermanence.persistGroupName.
+ extraGroups = [
+ # Admin account.
+ "wheel"
+ # Default permissions to modify /persist.
+ "persist"
+ # Can modify the files served by Nginx.
+ "nginx"
+ # Can modify Deertopia's git-annex repos.
+ "annex"
+ # Can modify Deertopia's Jellyfin libraries.
+ "jellyfin"
+ # Can access slskd's downloads.
+ "slskd"
+ # Can access Nixarr's media.
+ "media"
+ "www"
+ ];
+
+ initialHashedPassword =
+ "$y$j9T$aEFDDwdTZbAc6VQRXrkBJ0$K8wxTGTWDihyX1wxJ.ZMH//wmQFfrGGUkLkxIU0Lyq8";
+
+ openssh.authorizedKeys.keyFiles = [
+ ../../public-keys/ssh/crumb-at-guix-rebound.pub
+ ../../public-keys/ssh/crumb-at-nixos-testbed.pub
+ ../../public-keys/ssh/termux.pub
+ ];
+ };
+
+ homeConfiguration = { config, lib, pkgs, ... }: {
+ home.file.".ssh/id_ed25519".source =
+ config.lib.file.mkOutOfStoreSymlink
+ "/persist/private-keys/ssh/lain-at-deertopia";
+
+ home.file.".ssh/id_ed25519.pub".source =
+ ../../public-keys/ssh/lain-at-deertopia.pub;
+
+ programs.bash.enable = true;
+
+ home.sessionVariables = {
+ "EDITOR" = "nvim";
+ "VISUAL" = "nvim";
+ };
+
+ home.packages = [
+ pkgs.btop
+ ];
+
+ sydnix = {
+ impermanence = {
+ enable = true;
+ directories = [
+ ".ssh"
+ "public"
+ ];
+ };
+ users.crumb.git.enable = true;
+ users.crumb.nvim.enable = true;
+ };
+
+ # Don't touch!
+ home.stateVersion = "18.09";
+ };
+}
diff --git a/users/msyds/files.nix b/users/msyds/files.nix
new file mode 100644
index 0000000..41c54c9
--- /dev/null
+++ b/users/msyds/files.nix
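Review bot: In `homeConfiguration`, `~/.ssh/id_ed25519` for this new account is a symlink to `/persist/private-keys/ssh/lain-at-deertopia` with `lain-at-deertopia.pub` beside it, so `msyds` (its own uid 1006 and its own `authorized_keys`) will authenticate to other hosts with lain's key and show up as lain in their logs. If msyds is a separate person, generate a key named for this account (e.g. `msyds-at-deertopia`) and point both `home.file` entries at it; if it is lain's renamed account, rename the key as well so the name stays truthful. Separately, `initialHashedPassword` embeds a yescrypt hash in git history, where it is available for offline cracking to anyone who obtains the repository; this config already has a sops layer (`sydnix.sops.secrets` in pam.nix), so `hashedPasswordFile = config.sops.secrets.<name>.path;` would keep the hash out of the tree. Note that with `users.mutableUsers = true;` (flipped in this same commit) either option only seeds the password when the account is first created.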
@@ -0,0 +1,9 @@
+{ config, lib, pkgs, ... }:
+
+let mutableSymlink = config.lib.file.mkOutOfStoreSymlink;
+in {
+ home.file.".ssh/id_ed25519".source =
+ mutableSymlink "/persist/private-keys/ssh/lain-at-deertopia";
+ home.file.".ssh/id_ed25519.pub".source =
+ ../../public-keys/ssh/lain-at-deertopia.pub;
+}
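Review bot: files.nix repeats the two `home.file` entries that users/msyds/default.nix already sets in `homeConfiguration`, pointing at the same `lain-at-deertopia` key, and `lib` and `pkgs` in its argument set are unused. If both modules end up imported, the equal path definitions will presumably merge without complaint, so the duplication is silent; keep one copy and delete the other so a future key change is made in one place.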